Category Archives: Security

aka infosec

Advance notification of November 2013 Patch Tuesday

Tuesday, November 12 will see a modest batch of updates from Microsoft. There will be eight bulletins in total, with five Critical updates addressing vulnerabilities in Windows and Internet Explorer, and three Important updates addressing vulnerabilities in Windows and Office.

The recently-discovered vulnerability in Office running on Vista will not get a patch on November 12, but Microsoft is working on it and will release it as soon as it’s ready.

Vulnerability in MS Office on Vista being actively exploited

Microsoft has issued a security advisory to users of Office on Windows Vista. A newly-discovered vulnerability in Microsoft Office versions 2003 through 2010, when running on Windows Vista, is already being exploited by nefarious hackers.

If you are using Office 2003 to 2010 on Windows Vista, you should take steps to protect yourself until Microsoft releases a patch for this vulnerability:

This vulnerability also affects Office 2003 through 2010 running on Windows Server 2008, but you shouldn’t be running desktop applications on server software anyway, right?

The MSRC blog has more information, as does an Ars Technica post on the subject.

Update 2013Nov09: apparently attacks based on this vulnerability are more widespread than was originally estimated.

Secunia’s Online Security Inspector is no more

The formerly excellent free OSI service provided by Secunia has been discontinued. I used the OSI service because it was an easy way to check for vulnerable software on any Windows computer.

Recently, OSI stopped working, and Secunia chose to retire the service rather than fix it. There’s probably more to their decision, but they’re not saying, at least not publicly. The OSI web site says only “We have discontinued the Secunia Online Software Inspector (OSI).” and recommends alternatives.

The primary alternative to OSI offered by Secunia is the “Personal Software Inspector”. As with OSI, PSI was developed in Java and requires Java to run. Unlike OSI, however, PSI runs as an application outside the context of your web browser. This has at least one advantage, in that there’s now one less reason to leave Java enabled in your web browser.

Unlike OSI, which was a strictly on-demand service, PSI by default sets itself up to start with Windows, checking for vulnerable software and updating it automatically. I’m not a fan of automatic updates: I want to be in control of what gets updated and when. Fortunately, PSI can be configured to only notify you of software that can be updated. You can also configure it NOT to start with Windows, but there are some additional steps you’ll need to take if you want to use PSI strictly on-demand.

PSI installs two services: Secunia PSI Agent and Secunia Update Agent. These services are configured to start automatically with Windows. If you want to run PSI on-demand only, you’ll need to change the Startup Type for both of these services from Automatic to Manual. When you run PSI, it will start both of these services. When you close PSI, it will stop the Secunia PSI Agent service, but leave the Secunia Update Agent running (it appears as sua.exe in the Windows process list). You’ll have to stop it manually.

Once PSI is running, it presents a list of installed software, along with status and options for each. We recommend changing the display to ‘Detailed View’ – click ‘Settings’ at the bottom of the PSI screen and enable that setting. While you’re there, you can also disable ‘Start on boot’ and select ‘Update handling: Notify’. For each application listed, the Status column shows the most obvious options, including ‘Download’ and ‘Update’. Right-clicking the entry for an application will show a context menu that allows you to see additional details about available updates, or choose to ignore updates for that application.

Warning: PSI seems to start scanning your computer before it presents any part of its user interface. That means you have to act quickly the first time you run it, if you want to configure it for on-demand scans only. Hopefully now that OSI users are migrating to PSI, Secunia will listen to their requests and make PSI more friendly to people who prefer the on-demand approach.
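The service changes described above, as an added PowerShell script rather than anything from Secunia: it switches both PSI services to Manual startup, stops them if running, and ends the leftover sua.exe process. The two display names come from the post; the internal service names are not known, so the services are looked up by display name, and the script assumes an elevated prompt.

```powershell
# Added example (not Secunia's code). Run from an elevated PowerShell prompt
# after closing PSI. Display names are taken from the post above; the internal
# service names are unknown, so each service is resolved by display name.
$displayNames = 'Secunia PSI Agent', 'Secunia Update Agent'

foreach ($name in $displayNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found; is PSI installed?"
        continue
    }

    # Manual keeps the service registered, so PSI can still start it on demand,
    # but Windows will no longer launch it at boot.
    Set-Service -Name $svc.Name -StartupType Manual

    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $svc.Name -Force
    }

    # Confirm the new startup mode via WMI (StartMode is 'Manual' when done).
    $wmi = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
    Write-Host ("{0}: StartMode={1} State={2}" -f $name, $wmi.StartMode, $wmi.State)
}

# The Update Agent (sua.exe) can outlive PSI itself; end it if it is still
# around so nothing from PSI keeps running between on-demand scans.
Get-Process -Name sua -ErrorAction SilentlyContinue | Stop-Process -Force
```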

Additional information on setting up and using Secunia’s PSI can be found on this site’s ‘Scan for vulnerable software’ page.

Nightmare malware: CryptoLocker

CryptoLocker is a particularly nasty piece of malware that has been terrorizing computer users since early September, 2013. It’s similar to other kinds of ‘Ransomware’ in that once it infects a computer, it offers to undo its effects if the perpetrator is paid.

Ransomware has been around for years, but CryptoLocker adds a new twist: it encrypts your data files – making them inaccessible – until you pay. So it’s not just annoying: it can effectively destroy your data. Without the proper key, the encrypted files cannot be decrypted. After you pay the ransom, CryptoLocker decrypts the encrypted files, making them usable again.

Other factors can exacerbate a CryptoLocker infection. IT workers who are able to remove the malware after data files have been encrypted may actually make things worse: without the malware in place, paying the ransom will have no effect – the files will stay encrypted.

CryptoLocker typically installs itself when an unwitting user opens an attachment in an email that appears to be from a legitimate business, such as a courier company. The attachment often looks like a PDF file, and appears harmless. But the attachment is actually executable, and it installs CryptoLocker. Once CryptoLocker is running, it will try to contact one of its control servers, from which it receives an encryption key. CryptoLocker then starts encrypting your files: it looks for files with specific extensions, on local and mapped network drives. It then displays its ‘ransom note’, which describes what has been done and how to pay the ransom, which is typically $300. You have four days to pay, after which the encryption key will be deleted and your files will be inaccessible forever.
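The delivery trick described above (an attachment that looks like a PDF but is really an executable) can be checked for before anyone opens the file. The following is an added PowerShell example, not from the post or any vendor: it flags a double extension such as ‘invoice.pdf.exe’ and compares the file’s leading bytes with what its name claims. The quarantine folder path and the list of “decoy” extensions are assumptions.

```powershell
# Added example (not from the original post). Inspects saved attachments for
# the CryptoLocker-style disguise: executable content behind a document name.
function Test-DisguisedExecutable {
    param([Parameter(Mandatory)][string]$Path)

    $name    = [System.IO.Path]::GetFileName($Path)
    $reasons = @()

    # 1. Double extension, e.g. 'invoice.pdf.exe'. Explorer hides known
    #    extensions by default, so the user sees only 'invoice.pdf'.
    #    (Decoy/executable lists are my own assumption.)
    if ($name -match '\.(pdf|doc|docx|xls|xlsx|txt|jpg)\.(exe|scr|com|pif|bat|cmd)$') {
        $reasons += 'double extension hiding an executable suffix'
    }

    # 2. Magic bytes: Windows executables begin with 'MZ', PDFs with '%PDF'.
    $head = New-Object byte[] 4
    $fs   = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($head, 0, 4) } finally { $fs.Close() }
    $isPE  = ($n -ge 2) -and ($head[0] -eq 0x4D) -and ($head[1] -eq 0x5A)
    $isPDF = ($n -ge 4) -and ([Text.Encoding]::ASCII.GetString($head) -eq '%PDF')

    if ($isPE -and ($name -notmatch '\.(exe|scr|com|pif|dll)$')) {
        $reasons += 'PE header (MZ) but name does not claim to be an executable'
    }
    if (($name -match '\.pdf$') -and -not $isPDF) {
        $reasons += 'named .pdf but content does not start with %PDF'
    }

    [pscustomobject]@{
        File       = $name
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Example run over a folder of saved attachments (path is an assumption).
Get-ChildItem 'C:\Quarantine' -File |
    ForEach-Object { Test-DisguisedExecutable -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

A clean result here is not proof of safety, since the check only covers the specific disguise the post describes; it is a cheap first filter, not a replacement for anti-malware software and backups.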

I recently encountered CryptoLocker on a client’s PC. Luckily, the client’s anti-malware software detected the infection and prevented it from doing much damage. Among other things, it prevented CryptoLocker from contacting its control servers, so it never received an encryption key and didn’t encrypt any files. I was able to locate and remove the malware.

If you are hit with this malware, your best protection is a good backup. Without a backup, your only option is to pay the ransom. But don’t feel bad: you’re not alone. Plenty of other people have paid the ransom already.

So this is a good time to issue those familiar warnings to all computer users: back up your data, install good anti-malware software, and do not open email attachments or click email links unless you know the sender and what the email is expected to contain.

Ars Technica has additional information, and Bleeping Computer has an excellent FAQ for CryptoLocker.

WordPress 3.7.1 released

Version 3.7.1 fixes several minor issues that arose in the recent version 3.7 release, including some issues with the new auto-update feature. The official announcement of version 3.7.1 lists the changes.

The release of WordPress 3.7.1 provides a useful test of the new auto-update feature. I administer five WordPress sites, which I updated to version 3.7 the day it became available. Of those five sites, only two have updated themselves to 3.7.1 in the two days since its release. I will continue to update this post as the other three update themselves. Then I’ll decide whether to leave auto-updates enabled or continue to handle updates manually.

Update 2013Nov01: two more sites updated themselves in the last day or so. One remains at version 3.7.

Update 2013Nov04: one of the sites never updated itself, despite passing the auto-update tests. I updated it manually. I’ve concluded that the auto-update feature is useful, but not to be relied upon – at least not yet.

There have been a lot of reports of problems with the new auto-update feature. Most of these problems relate to hosting providers and limitations they impose on WordPress sites. Some of those problems were resolved in 3.7.1. In any case, you can diagnose auto-update problems using the new plugin Background Update Tester.

Another new plugin named Update Control allows you to control the way auto-updates work, including disabling them completely.

WordPress Tavern has a useful post about the new auto-update feature, titled “WordPress Automatic Updates – No Options For You!” There’s also a post on WordPress.org: “The definitive guide to disabling auto updates in WordPress 3.7.”

Firefox 25 released

Mozilla released Firefox 25 on October 29, with the usual lack of any kind of announcement. I was alerted to the new version via posts on the SANS ISC Diary and the CERT alerts list.

The only thing even close to an announcement of the new version from Mozilla is a blog post from the 29th that describes one of the new features in Firefox 25. The blog post never even mentions the new version.

The version 25 release notes list the changes in this version, which consist of several security vulnerability fixes, a few other bug fixes, Web Audio support, and some CSS and HTML standards tweaks.

The Known Vulnerabilities page shows the security-related fixes in version 25.

Java 7 Update 45 released

As part of a massive quarterly ‘CPU’ (Critical Patch Update), Oracle recently announced Java 7, Update 45 (7u45).

This new version of Java includes several security enhancements, mostly related to Java component deployment. A new button on the Security tab of the Java Control Panel, labeled ‘Restore Security Prompts’, allows the user to completely clear the list of allowed Java applications.

As for the contentious ‘Issue 69’ Java security vulnerability reported by security researcher Adam Gowdiak: according to Mr. Gowdiak’s latest research, this issue was resolved in Java 7, Update 40 (7u40).